Re: [LUG] OT: XLL file (Excel Add-ins) malware
- To: list@xxxxxxxxxxxxx
- Subject: Re: [LUG] OT: XLL file (Excel Add-ins) malware
- From: "maceion@xxxxxxxxx" <maceion@xxxxxxxxx>
- Date: Fri, 3 Sep 2021 20:03:59 +0100
- Cc: Eion MacDonald <eionmac@xxxxxxxxxxxxxx>
- Content-language: en-GB
- Delivered-to: dclug@xxxxxxxxxxxxxxxxxxxxx
On 03/09/2021 20:01, Simon Waters wrote:
> Having just updated a Linux mail server to reject ".xll" file attachments in
> emails I got to wondering if this is a new vector for infection, or just
> underused? I received a couple of emails today with .XLL attachments, obviously
> malicious.
>
> XLL files have been around since the 90s, but this is the first time I added it
> to my filter, and I usually cull unusual file attachments actually used in
> malware campaigns to stop others without a need for the format from tripping
> up too easily.
>
> Obviously doing this in a mail server doesn't stop people sending it via
> encrypted emails, emails with links, file shares, torrents, etc, but does stop
> simple attachments. The users needing protection most are the ones least
> likely to be able to save and decrypt an encrypted attachment.
>
> A quick search brought it up as being used for malware in July 2021 via a
> different attack vector, so I'm guessing that has attracted attention to the
> format's utility for infection of Excel users.
>
> https://isc.sans.edu/forums/diary/Hancitor+tries+XLL+as+initial+malware+file/27618/
>
Many thanks.
--
Regards
Eion MacDonald
--
The Mailing List for the Devon & Cornwall LUG
https://mailman.dcglug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
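
The attachment check described in the quoted post, sketched in Python as an added example (not code from the thread; the mail server and its configuration are not named there). `BLOCKED_EXTENSIONS`, the function names and the sample messages are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist: the post names only ".xll"; extend it to suit your site.
BLOCKED_EXTENSIONS = (".xll",)


def normalise(filename):
    """Lower-case the name and drop trailing dots/spaces, which Windows ignores."""
    return filename.strip().rstrip(". ").lower()


def blocked_attachments(raw_bytes, blocked=BLOCKED_EXTENSIONS):
    """Return the names of all MIME parts whose file name has a blocked extension.

    walk() also descends into forwarded message/rfc822 parts. Nothing is
    decrypted, so encrypted mail passes unchecked, as the post notes.
    """
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # Content-Disposition filename, else Content-Type name
        if name and normalise(name).endswith(tuple(blocked)):
            hits.append(name)
    return hits


def sample_message(filename, forwarded=False):
    """Constructed test input: a text mail with one small dummy attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(b"dummy", maintype="application",
                       subtype="octet-stream", filename=filename)
    if forwarded:  # wrap the whole mail as a message/rfc822 attachment
        outer = EmailMessage()
        outer["Subject"] = "Fwd: constructed sample"
        outer.set_content("Forwarding this.")
        outer.add_attachment(msg)
        return outer.as_bytes()
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("Invoice.XLL", "notes.txt"):
        hits = blocked_attachments(sample_message(name))
        print(name, "-> reject" if hits else "-> accept")
```

A filter hook would reject the message whenever `blocked_attachments()` returns a non-empty list.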